We have a User who is responsible to transact on SAP within two Company Codes. However, the User is reporting to two different Managers.

The one Manager wants the User to utilise transaction FB08 whilst the other one wants this restricted for his Company.

We have found that the user is allowed to run transaction FB08 for both Company Codes even though he only has access thereto for the Company Code which he is allowed to have. I have indicated to my Colleagues that due to the fact that the user has access to transaction FB08 for Company Code 4062 he will also be able to run the transaction for Company Code 1239 as Object F_BKPF_BUK dictates Company Code access with the SAP Authorisations Concept. This theory is however under discussion.

Any input regarding my theory is most welcome and I am looking forward to any suggestions in this regard.

1. Use the enhancement framework to include an additional check on one of the transactions (a developer can help with this)
2. Implement a mitigating control (and for 1 user this makes more sense based on the info available) where the dissenting manager reviews activity. Your functional team can give you options for how this can be achieved.

For some strange reason, some people are under the impression that the auth objects only work within the role they are assigned through, so in your case, the F.90 role should not have any impact on the FB08 role. Of course that is nonsense, but I have seen that belief being argued several times...
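The behaviour discussed in this thread, as an added example that is not part of the original posts and is not SAP code: a simplified Python model of authorization checks against the pooled user buffer, which also lists the transaction and company code pairs that arise only from combining roles. The role names and role contents are assumptions constructed for the illustration, and fields such as ACTVT are left out.

```python
# Simplified model of how authorizations are evaluated (added example, not SAP code).
# Role names and role contents are constructed; ACTVT and other fields are left out.
from itertools import product

ROLES = {
    "Z_FB08_ROLE": [("S_TCODE", {"TCD": {"FB08"}}),
                    ("F_BKPF_BUK", {"BUKRS": {"4062"}})],
    "Z_F90_ROLE": [("S_TCODE", {"TCD": {"F.90"}}),
                   ("F_BKPF_BUK", {"BUKRS": {"1239"}})],
}

def user_buffer(role_names):
    """Pool the authorizations of all assigned roles; the role of origin is not kept."""
    return [auth for name in role_names for auth in ROLES[name]]

def authority_check(buffer, obj, **fields):
    """Pass if one authorization for obj covers every requested field value."""
    return any(o == obj and all(v in vals.get(f, ()) for f, v in fields.items())
               for o, vals in buffer)

def can_post(buffer, tcode, bukrs):
    """Transaction start and company code are two independent checks."""
    return (authority_check(buffer, "S_TCODE", TCD=tcode)
            and authority_check(buffer, "F_BKPF_BUK", BUKRS=bukrs))

def combos(buffer):
    """Every (transaction, company code) pair the buffer permits."""
    tcodes = {t for o, v in buffer if o == "S_TCODE" for t in v["TCD"]}
    bukrs = {b for o, v in buffer if o == "F_BKPF_BUK" for b in v["BUKRS"]}
    return {(t, b) for t, b in product(tcodes, bukrs) if can_post(buffer, t, b)}

def unintended(role_names):
    """Pairs the user gets from the combination that no single role grants."""
    per_role = set().union(*(combos(ROLES[n]) for n in role_names))
    return combos(user_buffer(role_names)) - per_role

if __name__ == "__main__":
    assigned = ["Z_FB08_ROLE", "Z_F90_ROLE"]
    for tcode, bukrs in sorted(unintended(assigned)):
        print(f"review: {tcode} usable in company code {bukrs}")
```

The pairs returned by `unintended` are the ones a mitigating review by the dissenting manager would need to cover.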